Horizon dashboard and LDAP user listing result in 504 Gateway Time-out
Environment
Red Hat OpenStack Platform 13.0
Issue
- When LDAP is integrated with OpenStack Keystone, Keystone times out while fetching the user list from the LDAP server.
- This results in a 504 Gateway Time-out error.
Resolution
- If using an LDAP back end for authentication, add the following line to /etc/openldap/ldap.conf on all controller nodes:
    NETWORK_TIMEOUT 2
- Then modify the haproxy.cfg file on all controllers (file path: /var/lib/config-data/puppet-generated/haproxy/etc/haproxy/haproxy.cfg):
    defaults
      log global
      maxconn 8192 <=====
      ...
      timeout connect 10s
      timeout client 20m <=====
      timeout server 20m <=====
      ...
- Before the change, the configuration looks like this:
    defaults
      log global
      maxconn 4096
      mode tcp
      retries 3
      timeout http-request 10s
      timeout queue 2m
      timeout connect 10s
      timeout client 2m
      timeout server 2m
      timeout check 10s
- After the change, it looks like this:
    defaults
      log global
      maxconn 8192
      mode tcp
      retries 3
      timeout http-request 10s
      timeout queue 2m
      timeout connect 10s
      timeout client 20m
      timeout server 20m
      timeout check 10s
- Finally, restart keystone and haproxy:
    docker restart keystone    # run on all controller nodes
    pcs resource restart haproxy-bundle
- This can also be done through THT (TripleO Heat Templates) parameters to make the changes permanent:
    (overcloud) [stack@undercloud-0 ~]$ cat virt/haproxy_cfg.yaml
    parameter_defaults:
      ControllerExtraConfig:
        tripleo::haproxy::haproxy_defaults_override:
          timeout:
            - 'http-request 10s'
            - 'queue 2m'
            - 'connect 10s'
            - 'client 20m'
            - 'server 20m'
            - 'check 10s'
          maxconn: 8192
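One way to confirm on each controller that the haproxy defaults and the ldap.conf option above are actually in place, since the values in a defaults section are easy to confuse with per-proxy overrides. This is an added example, not Red Hat's code; the function names, the sample configuration text and the listen section name are constructed for illustration.

```python
# Added example: audits the settings this article changes. Not Red Hat code.
import sys

EXPECTED_HAPROXY = {"maxconn": "8192", "timeout client": "20m", "timeout server": "20m"}
EXPECTED_LDAP = {"NETWORK_TIMEOUT": "2"}
SECTIONS = {"global", "defaults", "frontend", "backend", "listen", "userlist", "peers"}

def parse_haproxy_defaults(text):
    """Return the directives of the last 'defaults' section as a dict."""
    found, in_defaults = {}, False
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in SECTIONS:
            in_defaults = words[0] == "defaults"
            if in_defaults:
                found = {}  # a new defaults section starts from scratch
        elif in_defaults:
            n = 2 if words[0] == "timeout" else 1  # key is "timeout client", not "timeout"
            found[" ".join(words[:n])] = " ".join(words[n:])
    return found

def parse_ldap_conf(text):
    """Return ldap.conf options keyed by upper-cased name; '#' lines are comments."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts[parts[0].upper()] = parts[1].strip()
    return opts

def audit(haproxy_text, ldap_text):
    """Return (setting, expected, actual) for each value that differs from the article."""
    hap, ldap = parse_haproxy_defaults(haproxy_text), parse_ldap_conf(ldap_text)
    checks = [(k, v, hap.get(k)) for k, v in EXPECTED_HAPROXY.items()]
    checks += [(k, v, ldap.get(k)) for k, v in EXPECTED_LDAP.items()]
    return [c for c in checks if c[1] != c[2]]

# Constructed samples: pre-change defaults from the article plus a made-up listen section.
BEFORE = ("defaults\n  log global\n  maxconn 4096\n  timeout connect 10s\n"
          "  timeout client 2m\n  timeout server 2m\n\n"
          "listen keystone_public\n  timeout client 1m\n")
AFTER = (BEFORE.replace("4096", "8192").replace("client 2m", "client 20m")
         .replace("server 2m", "server 20m"))
LDAP_CONF = "# constructed sample\nNETWORK_TIMEOUT 2\n"

if __name__ == "__main__":
    # Pass haproxy.cfg and ldap.conf paths to audit real files; otherwise use the samples.
    texts = [open(p).read() for p in sys.argv[1:3]] if len(sys.argv) == 3 else [BEFORE, LDAP_CONF]
    for name, want, got in audit(*texts):
        print(f"{name}: expected {want}, found {got}")
```

An empty result means every audited value matches the article; a `found None` line means the directive is missing from the file altogether.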
Root Cause
- Keystone times out before the details are fetched from the LDAP server.